Researchers at Perception Point write about CVE-2022-22583, a successor to Shrootless that could let attackers bypass Mac System Integrity Protection (SIP). It was patched yesterday in macOS Monterey 12.2, macOS Big Sur 11.6.3 and Security Update 2022-001 Catalina. Apple shared the credit for this CVE between three researchers: Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point and an anonymous researcher.

Shrootless Upgrade

Perception Point says this new zero day is a successor to the one Microsoft found last year, dubbed “shrootless.” Microsoft researchers noticed that when the user installs an Apple-signed package, it is automatically executed by the service “system_installd.” If the package contains any pre/post-install scripts, they are also executed by “system_installd” and inherit the “com.apple.rootless.install.heritable” entitlement, which allows these scripts to fully bypass SIP’s filesystem restrictions.

If one of the pre/post-install scripts was a zsh script, “system_installd” would execute zsh (z-shell) which would source the “/etc/zshenv” file. SIP doesn’t restrict this file and it can be modified by root. Any code inside it would run and thus bypass SIP whenever an Apple-signed package with a zsh script is installed. Apple fixed it by stopping zsh from sourcing “/etc/zshenv.”

Perception Point found a macOS directory /tmp isn’t restricted by SIP. Here are the steps the team took:

  1. Create a virtual image file and mount it onto “/private/tmp”.
  2. Install an Apple-signed package with post-install scripts.
  3. Wait for the installer to finish the extraction of the scripts directory, and gather the random parts of the extracted path.
  4. Unmount the image file, thus reverting to the contents of “/private/tmp” before the extraction.
  5. Create the scripts directory by ourselves (with the random path we gathered earlier) and deposit there whatever scripts we want.

Any script we put as the “post-install script” inherits the “com.apple.rootless.install.heritable” entitlement from “system_installd” and is able to fully bypass SIP restrictions.

In macOS 12.2, Apple changed the extraction destination to a new directory: “/Library/Apple/System/Library/InstallerSandboxes.” Apple also prevents mount attempts onto the “/Library/ directory when SIP is enabled.

This article first appeared in The Mac Observer on January 27, 2022, written by Andrew Orr.